Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting "top 3" (Windows) processes, sorted by CPU usage, when CPU usage goes over xx%

so_edv1
New Member
‎03-08-2019 12:51 AM

Hello everyone,

Pretty new to Splunk and, to be honest, I'm going under in work so I don't have time to work myself in a lot 😕 and so I hoped someone could help me with something, I somehow couldn't find some solution for..

We. I. want to monitor our VDA Servers and get informed / an e-mail once the CPU usage goes over a certain amount. Let's say 70%.

This shouldn't happen. But of course sometimes it does. And we want to know through which process.

So we basically want to get a short e-mail.

"Hey. CPU load on X is over the limit.

Here are the top 3 processes, sorted by CPU load produced:

  • MS Teams - 30%
  • Chrome - 25%
  • Outlook 20%

"

Is there a pre-made solution someone knows? Or a powershell script?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2019 06:00 AM

First, you must have performance data from your VDA servers indexed in Splunk. You can use a universal forwarder to send perfmon:CPU events to do that.

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
interval = 60
disabled = 0

Once you have the data, it's easy to craft a search that runs every few minutes to look for servers with high CPU utilization. 

index=windows | stats sum('% Processor Time') as PctCPU | where PctCPU > 70

See https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/MonitorWindowsperformance for details.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2019 06:00 AM

First, you must have performance data from your VDA servers indexed in Splunk. You can use a universal forwarder to send perfmon:CPU events to do that.

[perfmon://Processor]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
interval = 60
disabled = 0

Once you have the data, it's easy to craft a search that runs every few minutes to look for servers with high CPU utilization. 

index=windows | stats sum('% Processor Time') as PctCPU | where PctCPU > 70

See https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/MonitorWindowsperformance for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

so_edv1
New Member
‎03-10-2019 11:51 PM

Sorry for the late reply, hope everyone had a nice weekend 🙂

Going to try this out.

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...